Setting the AD groups managers (managedBy)

as data owners
Content
1. Add attributes DistinguishedName and managedBy to the identity collector ..................2
2. Create a Data Source and name it “Managers for ADgroups” ...........................................3
Check the columns where the above info is stored in the DB ...............................................3
Create a Data Source “SQL Server Database” type. .............................................................. 3
3. Set a Scope to the groups’ owners .....................................................................................6
4. Grant Owner Capabilities for the imported owners .......................................................... 6
Document Revision History........................................................................................................8
1. Add attributes DistinguishedName and managedBy to the identity
collector
From the Admin Console, Go to Applications-Configuration-Permissions Collection-
Identity Collectors.
Edit the primary domain Identity Collector.
Go to Groups Collection page of the wizard.
And add the following attributes to the Properties to Fetch:
• DistinguishedName
• managedBy

add a mapping:

From the Website, run the Identity Collector Task.

2. Create a Data Source and name it “Managers for ADgroups”
Check the columns where the above info is stored in the DB
Connect to SecurityIQ DB and run the following query:
SELECT * FROM whiteops.ra_role
Check the titles of the columns that stores the distinguishedName and the managedBy
fields. In the attached example
• distinguishedName appears in column role_field2
• managedBy appears in column role_field1

Create a Data Source “SQL Server Database” type.

Create the query that based on SecurityIQ-Internal

Query:
SELECT bs.full_path 'Group (Resource Full Path)','SERI Active Directory' AS 'Application
Name','False' AS 'Allow Full Scope',ru.user_domain AS 'Owner Domain',ru.[user_name] AS
'Owner Name'
FROM whiteops.ra_role rr
INNER JOIN whiteops.ra_user ru ON rr.role_field1=ru.user_full_name
INNER JOIN whiteops.business_service bs ON bs.full_path=rr.role_field2

Test it and verify you can see results:

Click Finish.
3. Set a Scope to the groups’ owners
Go to SecurityIQ Web interface

Settings->Capabilities -> and set the values as appear in the

screenshot

4. Grant Owner Capabilities for the imported owners

Login to FAM SQL DB and run the following script”

INSERT INTO [whiteops].[web_role_ra_user](ra_user_id,web_role_id)

SELECT DISTINCT(ru.id), 3 -- the number 3 means Data Owner cability
FROM whiteops.ra_role rr
INNER JOIN whiteops.ra_user ru On rr.role_field1=ru.user_full_name

Verify you see these users as Owners:

Document Revision History
Revision Date Written/Edited By Comments
June25nd 2017 Tom Blinder Original document
Feb 24th 2021 Tom Blinder Updating to 8.x structure